Re: cgiemail installs owned by root in /usr/lib/cgi-bin
Antonio Rodriguez wrote:
> I noticed that when installing cgiemail it is set as owned by root,
> same as other scripts simultaneously installed in /usr/lib/cgi-bin
> The danger of being root owned would be in the fact that it can
> virtually do anything.
no, it can't. If root owns an executable, and www-data runs it,
it can only do what www-data can do.
This is just the same as if you run /bin/cat, for example; although it's
owned by root, it runs with your permissions, not root's; when you run it,
it does not have permission to read or write any file like root does.
e.g:
$ cat /etc/shadow
cat: /etc/shadow: Permission denied
A special permission called "setuid" exists to make programs run as the
owner of the executable instead of the user who's running them, but it is
used as little as possible to prevent security holes due to bugs.
for example, if you run as root:
chmod +s /bin/cat
then as non-root:
cat /etc/shadow
you will be able to read the /etc/shadow (shadow password file) although
you don't normally have permission to!
*** don't forget to remove this permission again (as root)! :
chmod -s /bin/cat
This setuid feature doesn't work for scripts (such as cgiemail), it only
works for compiled executables. Apparently there is more of a security
risk if scripts can be setuid, although I'm not quite sure why; so it's
not permitted by the kernel at all.
This is probably a lot more than you ever wanted to know about
unix permissions :)
Sam
Reply to: